Is Your Contact Center HIPAA Compliant?

Today, compliance is largely manual: a once-a-year ritual in which an organization scrambles to gather evidence for an impending audit, then breathes a sigh of relief until the next cycle. In today's complex and constantly changing regulatory environment, compliance needs to be continuous, and that requires automation. Manually managing compliance, or tolerating non-compliance between audits, is no longer an option.

This is the first post in a series on handling Health Insurance Portability and Accountability Act (HIPAA) compliance. It discusses the impact of HIPAA on a provider's communication infrastructure. Subsequent articles will show how Assertion, a compliance automation platform, can be used to automate HIPAA compliance checks.

Verifying Compliance at the Healthcare Contact Center

The healthcare contact center uses all the communication channels of a traditional contact center and keeps finding new ways to add value to a medical organization. It is the agent's responsibility to route patients quickly to the correct resources without hurting patient satisfaction, while staying compliant with HIPAA.

Healthcare contact centers deal with privacy and data protection on an entirely different scale and are increasingly held accountable for the HIPAA compliance of their communication infrastructure. A healthcare service provider must be able to demonstrate that its communication network

  • is accessible only to authenticated, authorized users within the private network
  • prevents electronic protected health information (ePHI) from leaving the network except over approved, protected channels
  • encrypts ePHI in transit on every channel (encryption is an addressable specification under the HIPAA Security Rule, so any decision not to encrypt a channel must be documented and justified)
  • maintains compliance safeguards through audits, ongoing training, and maintained policies and procedures

Vendors that store or process PHI on the enterprise's behalf, such as a hosted VoIP or call-recording provider, are business associates and are directly liable under HIPAA for their own failures; a telephone carrier or internet service provider that merely transmits the traffic is generally treated as a conduit and is not. Many large organizations have had to re-architect their entire communication infrastructure after a failed compliance audit, with weeks of disruption to their operations and the consequent financial impact.

The Office for Civil Rights (OCR) has found that, in cases involving contact centers, employees leaving voice messages for patients were not following the confidential communications requirements. The examples below are from case studies reported on the HHS.gov website:

  • The voice message disclosed more than the minimum necessary information.
  • The employee left the message on the patient's home answering machine instead of the mobile line the patient had designated as the preferred contact.
  • A fax cover page contained Protected Health Information (PHI).

The charts below show the types and locations of breaches reported to the U.S. Department of Health and Human Services OCR from 2016 to 2018. In OCR's taxonomy the examples above fall under the Unauthorized Access/Disclosure breach type, with the breached information located on Other Portable Electronic Device and Paper/Films.

Types of Breaches 2016-2018 (OCR Breach Portal) (chart not reproduced here)

Location of Breached Information 2016-2018 (OCR Breach Portal) (chart not reproduced here)

Continuous tracking of compliance risk, followed by mitigation and remediation, is an essential facet of compliance management. The complexity of the systems involved, and the many paths that can lead to a violation, have made it clear that automated mechanisms rather than manual tracking are the way forward.

Is Your Call Center HIPAA compliant?

With the HIPAA Omnibus Final Rule of 2013, OCR set out the strengthened privacy and security protections that all covered entities and business associates must comply with. Every healthcare organization operating a call center needs to ensure that it complies with these regulations.

The questions below summarize what those regulations require of a telephony environment. If you cannot answer "yes" to each of them with supporting evidence, consider an immediate compliance audit and remediation:

  • Does each phone have a unique user ID and authentication, and is each phone's number and serial number inventoried?
  • Does the phone system support distinct classes of users with different privilege levels beyond making calls?
  • Does the phone system record metadata, including the activities of all users?
  • Where calls are recorded, are the recordings protected as ePHI at rest (access-controlled, encrypted, and retained and disposed of per policy)?
  • Where voicemails are saved, are they protected in the same way?
  • Are appropriate encryption standards used to protect the phones and the communication software (for example TLS for SIP signaling and SRTP for voice media)?
  • Where a cloud-based VoIP solution is used, is a business associate agreement in place with the provider, bearing in mind that cloud systems bring additional compliance requirements?

As a healthcare contact center, it is in your interest to define the protocols that business associates, patients, and providers interacting with the organization must follow. Wherever a manual checkpoint is involved there is potential for PHI to be created, transmitted, or received improperly, so automate compliance audits as far as possible.

Within the communication infrastructure of any enterprise, compliance automation boils down to

  • monitoring that data is encrypted when it is created, received, and transferred
  • monitoring agents' activities
  • preventing agents from sending PHI over unapproved channels, through real-time warnings and training
  • capturing a strong audit trail (system logs, call detail records, etc.) for all communication activity at every location the organization operates

Verifying Contact Center Compliance Overseas

Healthcare organizations that operate overseas should also verify that their systems enforce the same access controls, encryption and logging for international access, to prevent violations. Many organizations offshore their call centers or use international partners for medical and data services; a third-party partner that handles PHI is a business associate and must be covered by a business associate agreement.

The international contact center system also needs to collect a proper audit trail so that the handling of PHI can be verified.

  • System logs and call detail records (CDRs) must be collected and stored in a tamper-proof (at minimum tamper-evident) manner for at least one year, and longer where the organization's HIPAA documentation retention policy requires it.
  • The call detail records must contain enough information to trace the origination and destination of every call.
  • These logs must be maintained at each site for auditing purposes.
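The audit-trail requirements above (tamper-proof CDR storage, origination and destination on every record, per-site logs) and the earlier automation points (encryption monitoring, catching PHI that crosses the network boundary) are concrete enough to show in code. The following is an added example, not Assertion's product code or any PBX vendor's CDR format: it stores CDRs in a hash chain so that editing or deleting a record after the fact is detectable, validates that each record carries the fields needed to trace the call, and flags unencrypted legs and recorded calls that left the private network. The field names, the `ext-` internal extension prefix and the sample records are constructed assumptions; map them onto your own platform's CDR export.

```python
"""Tamper-evident call detail record (CDR) audit trail with basic compliance checks.

Added example, not code from Assertion or from any PBX vendor. The CDR field
names, the internal extension prefix and the sample records are constructed
for illustration.
"""
import hashlib
import json

# Fields every CDR must carry so the call's origin and destination can be traced.
REQUIRED_FIELDS = ("site", "call_id", "start", "duration_s", "origin",
                   "destination", "direction", "encrypted", "recorded", "agent_id")
GENESIS = "0" * 64  # anchor for the first entry in the chain


def entry_hash(prev_hash, record):
    """SHA-256 over the previous entry's hash and a canonical JSON form of the record."""
    payload = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(prev_hash.encode() + payload).hexdigest()


def append_cdr(chain, record):
    """Append one CDR. Each entry commits to its predecessor's hash, so a later
    edit or deletion anywhere in the chain breaks verification."""
    prev = chain[-1]["hash"] if chain else GENESIS
    entry = {"record": dict(record), "prev": prev, "hash": entry_hash(prev, record)}
    chain.append(entry)
    return entry


def verify_chain(chain):
    """Return (True, None) if the chain is intact, else (False, index of first bad entry)."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        if entry["prev"] != prev or entry["hash"] != entry_hash(prev, entry["record"]):
            return False, i
        prev = entry["hash"]
    return True, None


def check_record(record, internal_prefix):
    """Findings for one CDR: missing trace fields, unencrypted leg, or a recorded
    (PHI-bearing) call that crossed the private network boundary."""
    findings = []
    missing = [f for f in REQUIRED_FIELDS if f not in record]
    if missing:
        findings.append("missing fields: " + ", ".join(missing))
        return findings  # cannot evaluate the rest without origin/destination
    if not record["encrypted"]:
        findings.append("call leg not encrypted")
    internal = (record["origin"].startswith(internal_prefix)
                and record["destination"].startswith(internal_prefix))
    if not internal and record["recorded"]:
        findings.append("recorded call crossed the network boundary; review recording for PHI")
    return findings


def audit(chain, internal_prefix="ext-"):
    """Verify chain integrity, then group findings per site (each site keeps its own trail)."""
    ok, bad = verify_chain(chain)
    report = {"chain_intact": ok, "first_bad_entry": bad, "sites": {}}
    for entry in chain:
        rec = entry["record"]
        findings = check_record(rec, internal_prefix)
        if findings:
            report["sites"].setdefault(rec.get("site", "unknown"), []).append(
                (rec.get("call_id"), findings))
    return report


# Constructed sample CDRs (not real data). The last one lacks destination/encryption fields.
SAMPLE_CDRS = [
    {"site": "chicago", "call_id": "c-1001", "start": "2018-03-01T09:00:00Z", "duration_s": 240,
     "origin": "ext-2101", "destination": "ext-2188", "direction": "internal",
     "encrypted": True, "recorded": True, "agent_id": "a17"},
    {"site": "chicago", "call_id": "c-1002", "start": "2018-03-01T09:05:00Z", "duration_s": 90,
     "origin": "ext-2101", "destination": "+13125550123", "direction": "outbound",
     "encrypted": True, "recorded": True, "agent_id": "a17"},
    {"site": "manila", "call_id": "m-0420", "start": "2018-03-01T09:07:00Z", "duration_s": 310,
     "origin": "+16175550199", "destination": "ext-3002", "direction": "inbound",
     "encrypted": False, "recorded": False, "agent_id": "a88"},
    {"site": "manila", "call_id": "m-0421", "start": "2018-03-01T09:12:00Z", "duration_s": 60,
     "origin": "ext-3002", "direction": "outbound", "agent_id": "a88"},
]


def build_chain(records=SAMPLE_CDRS):
    chain = []
    for rec in records:
        append_cdr(chain, rec)
    return chain


def tamper_demo():
    """Rewrite a stored record after the fact and show that verification catches it."""
    chain = build_chain()
    chain[1]["record"]["destination"] = "ext-2199"  # disguise an external call as internal
    return verify_chain(chain)


if __name__ == "__main__":
    print(json.dumps(audit(build_chain()), indent=2))
    print("after tampering:", tamper_demo())
```

A hash chain only proves tampering if the head hash is kept somewhere the log writer cannot overwrite: write the latest hash periodically to write-once storage or have it signed by a separate system, otherwise an attacker with write access to the log simply rebuilds the chain. The per-site grouping in `audit` mirrors the requirement that each location keeps and can produce its own trail.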

What makes enforcing compliance challenging today?

Most solutions today are

  • extremely manual and consultant driven, hence expensive and inefficient
  • point automation tools that do not solve real-world, complex problems
  • focused on technology, leaving people and process compliance largely manual
  • limited to task allocation and workflow automation rather than true control automation
  • lacking a feedback loop that shows whether controls are effective
  • without ownership of the business risk or a results-oriented outcome

To fully comply with HIPAA, the various administrative, physical, and technical scenarios need to be considered and the appropriate configurations put in place to prevent violations. Healthcare service providers should not continue communication services until the contact center can be independently verified to be communicating PHI in compliance with HIPAA. Next, we will look at the complexity of maintaining diverse standards and consider a strategy for unified compliance across an organization.

Related Links

OCR Breach Portal
45 CFR 160.103
HIPAA Omnibus Final Rule
HIPAA applicable software standards
FCC Declaratory Ruling and Order
Telephone Consumer Protection Act
